OWASP Top 10 in 2021
This page contains a glossary of the OWASP TOP 10 application security risks and serves as a navigation guide through the most widespread vulnerabilities in modern web applications and APIs:
OWASP A01:2021 (Broken Access Control) covers improper, weak or otherwise flawed access restrictions and privilege-management errors that may allow a remote attacker to reach restricted resources of the web application or of its environment. This logic flaw frequently occurs in insecure implementations of RESTful APIs and HTTP/S microservices, where an unprivileged user can reach data or functionality intended for other application users or for privileged users only, typically by supplying another user's object identifier or by calling an endpoint that only checks that the caller is logged in. Read more about broken access control.
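The object-level check that the paragraph above describes, as an added example that is not code from the original page: a REST-style "get invoice" handler, first with the missing ownership check (the classic insecure direct object reference) and then with the check enforced. The user table, invoice table and function names are constructed for this illustration.

```python
# Added example, not code from the original page: object-level authorization
# for a REST-style "get invoice" handler. The user table, invoice table and
# function names are constructed for this illustration.

class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""

# Constructed sample data: each invoice belongs to exactly one user.
USERS = {
    "alice": {"id": 1, "role": "user"},
    "bob": {"id": 2, "role": "user"},
    "root": {"id": 3, "role": "admin"},
}
INVOICES = {
    100: {"owner_id": 1, "total": 42},
    200: {"owner_id": 2, "total": 99},
}

def get_invoice_vulnerable(caller, invoice_id):
    """Checks that the caller is logged in, but never who owns the invoice:
    any authenticated user can walk the whole ID space (IDOR)."""
    if caller not in USERS:
        raise Forbidden("not logged in")
    return INVOICES[invoice_id]

def is_allowed(caller, invoice_id):
    """Deny by default: the caller must own the object or hold the admin role.
    The identity comes from the server-side session, never from the request."""
    user = USERS.get(caller)
    invoice = INVOICES.get(invoice_id)
    if user is None or invoice is None:
        return False
    return invoice["owner_id"] == user["id"] or user["role"] == "admin"

def get_invoice_fixed(caller, invoice_id):
    """Same handler with the ownership check enforced on every request.
    'Missing' and 'not yours' return the same error so the ID space cannot
    be enumerated through differing responses."""
    if not is_allowed(caller, invoice_id):
        raise Forbidden("not found or not permitted")
    return INVOICES[invoice_id]

if __name__ == "__main__":
    print(get_invoice_vulnerable("bob", 100))  # bob reads alice's invoice
    print(is_allowed("bob", 100))              # False
    print(is_allowed("root", 100))             # True
```

The important design choice is that the authorization decision is taken server-side on every request, from the session identity and the object's stored owner, not from anything the client sends; rate limiting and logging of repeated "not permitted" responses complement the check by making enumeration attempts visible.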
OWASP A02:2021 (Cryptographic Failures) covers security flaws caused by missing, weak or misused cryptography, whether they stem from the web application's architecture or from application logic errors: data stored or transmitted in cleartext, outdated algorithms and protocols, weak or hard-coded keys, and password hashes that are unsalted or computed with a fast hash function. Cryptographic failures often lead to disclosure of personal data, financial information, healthcare records or other regulated data, and the compromised data can then be used against web application users in phishing attacks, identity theft and social engineering campaigns. Read more about cryptographic failures.
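One concrete instance of this category, as an added example that is not code from the original page: password storage with an unsalted fast hash beside a salted, deliberately slow key derivation with constant-time verification. The function names, the sample passwords and the stored record layout are constructed for this illustration; the iteration count follows the OWASP Password Storage Cheat Sheet recommendation for PBKDF2-HMAC-SHA256.

```python
# Added example, not code from the original page: two ways of storing a
# password, the cryptographic failure beside its fix. Function names, the
# record layout and the sample passwords are constructed for this illustration.
import hashlib
import hmac
import os

def weak_hash(password: str) -> str:
    """Unsalted, fast hash. Equal passwords give equal digests across all
    users, so one rainbow table or one cracked hash covers everyone, and
    an attacker can test billions of candidates per second offline."""
    return hashlib.md5(password.encode()).hexdigest()

# OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000

def strong_hash(password: str) -> dict:
    """Per-user random salt plus a slow key-derivation function. The record
    stores everything needed to verify later, so parameters can be raised
    over time without breaking existing accounts."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "digest": digest.hex()}

def verify_password(record: dict, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time, so the
    check does not leak how many leading bytes of the digest matched."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(candidate.hex(), record["digest"])

if __name__ == "__main__":
    print(weak_hash("correct horse") == weak_hash("correct horse"))  # True: linkable
    rec = strong_hash("correct horse")
    print(verify_password(rec, "correct horse"), verify_password(rec, "wrong"))
```

If a memory-hard function such as Argon2id or scrypt is available in the deployment it is the better choice; PBKDF2 is used here only because it ships in the Python standard library.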
OWASP A03:2021 (Injection) covers a range of injection vulnerabilities, including SQL and NoSQL injection, OS command injection, LDAP query manipulation and, since the 2021 edition, cross-site scripting (XSS), which was merged into this category. Injection vulnerabilities are usually caused by improper or insufficient input validation combined with building queries or commands from untrusted data instead of using parameterized or otherwise safe APIs. Injections allow a remote attacker to inject, alter or execute arbitrary code, SQL queries or commands on the vulnerable system, leading to data exfiltration, a website breach or even compromise of the entire web server. Read more about injections.
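The SQL injection case, as an added example that is not code from the original page: a login lookup built by string concatenation beside its parameterized fix, both run against an in-memory SQLite database so it works offline. The schema, the rows, the payload and the function names are constructed for this illustration (the table keeps plaintext passwords only so the injection's effect is visible; real storage belongs under A02).

```python
# Added example, not code from the original page: a SQL injection in a login
# lookup beside its parameterized fix, run against an in-memory SQLite
# database. Schema, rows, payload and function names are constructed here.
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample table with two accounts. Plaintext passwords are
    used only to keep the injection visible; never store them this way."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn

def find_user_vulnerable(conn, name: str, pw: str) -> list:
    """Builds the query by string formatting: the attacker's input becomes
    part of the SQL grammar instead of staying a literal value."""
    query = f"SELECT name, role FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return conn.execute(query).fetchall()

def find_user_fixed(conn, name: str, pw: str) -> list:
    """Parameterized query: the driver binds the values separately from the
    statement, so quotes in the input cannot change its structure."""
    query = "SELECT name, role FROM users WHERE name = ? AND pw = ?"
    return conn.execute(query, (name, pw)).fetchall()

# Classic payload: closes the string literal, makes the WHERE clause always
# true, and comments out the password comparison.
PAYLOAD = "' OR '1'='1' -- "

if __name__ == "__main__":
    db = make_db()
    print(find_user_vulnerable(db, PAYLOAD, "anything"))  # both users, no password
    print(find_user_fixed(db, PAYLOAD, "anything"))       # []
    print(find_user_fixed(db, "bob", "hunter2"))          # [('bob', 'user')]
```

The same discipline applies to the other injection types on this page: the command, query or markup is assembled by an API that keeps data separate from structure (subprocess argument lists instead of a shell string, LDAP filter escaping, context-aware output encoding for XSS), and input validation is a second layer rather than the only one.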
OWASP A04:2021 (Insecure Design) is intended for cases where the root cause is a flaw in the application's design or architecture rather than in its implementation; a design that lacks the necessary controls cannot be fixed by a code patch alone. This category covers 40 CWEs, such as unprotected storage of credentials (CWE-256), generation of error messages containing sensitive information (CWE-209) and insufficiently protected credentials (CWE-522). Read more about insecure design.
OWASP A05:2021 (Security Misconfiguration) covers weaknesses caused by erroneous or insecure configuration of the web application and its environment, such as default accounts and passwords left enabled, unnecessary features or services left exposed, verbose error messages that reveal stack traces, missing security headers and unpatched or mispatched components. When successfully exploited, especially in combination with other vulnerabilities from the OWASP Top Ten list, a misconfiguration can cause considerable damage and disastrous data breaches: for instance, the attacker may bypass security restrictions, gain unauthorized admin access to the system and eventually compromise the web application and the web server environment. Read more about security misconfigurations.
OWASP A07:2021 (Identification and Authentication Failures) covers vulnerabilities related to insufficient authentication or incorrect session management by the web application, such as permitting brute-force or credential-stuffing attacks, accepting weak or default passwords, exposing session identifiers in URLs, reusing the same session identifier after login, or failing to invalidate sessions on logout or after a period of inactivity. A remote attacker might bypass a poorly implemented authentication process to gain unauthorized or excessive access to the web application or to impersonate other users. Under certain conditions, broken authentication may lead to compromise of the web server and the related infrastructure, such as databases or connected cloud storage. Read more about identification and authentication failures.
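The session-management side of this category, as an added example that is not code from the original page: a minimal server-side session store that issues identifiers from a CSPRNG, rotates the identifier at login (which defeats session fixation) and expires idle sessions. The class, the timeout value and the names are constructed for this illustration; the clock is injectable so the expiry can be exercised without waiting.

```python
# Added example, not code from the original page: a minimal server-side
# session store with CSPRNG identifiers, rotation on login and idle expiry.
# Names and the timeout are constructed for this illustration; the clock is
# injectable so the expiry path can be exercised without waiting.
import secrets
import time

IDLE_TIMEOUT = 900  # seconds; 15 minutes is an illustrative value

class SessionStore:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}  # session id -> {"user": str | None, "last_seen": float}

    def create(self) -> str:
        """Anonymous pre-login session. The ID is 256 bits from a CSPRNG,
        so it cannot be guessed or predicted from earlier IDs."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, sid: str, user: str) -> str:
        """Authentication succeeded: bind the user to a *new* ID and drop the
        old one. Keeping the pre-login ID would let an attacker who planted it
        in the victim's browser (session fixation) ride the authenticated session."""
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user, "last_seen": self._clock()}
        return new_sid

    def user_for(self, sid: str):
        """The bound user, or None if the session is unknown, anonymous, or
        idle longer than IDLE_TIMEOUT (in which case it is also evicted)."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, sid: str) -> None:
        """Invalidate server-side; clearing the browser cookie alone leaves a
        stolen copy of the ID usable until it expires."""
        self._sessions.pop(sid, None)

if __name__ == "__main__":
    store = SessionStore()
    pre = store.create()
    post = store.login(pre, "alice")
    print(pre != post, store.user_for(pre), store.user_for(post))  # True None alice
```

In a real deployment the identifier is sent in a cookie with the Secure, HttpOnly and SameSite attributes, and the server also enforces an absolute lifetime and per-account login rate limiting; those controls sit outside this store but are part of the same category.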
OWASP A08:2021 (Software and Data Integrity Failures) covers issues related to software updates, CI/CD pipelines and critical data whose integrity is not verified: code and dependencies pulled from untrusted sources or repositories, auto-update mechanisms that do not check signatures, and serialized objects accepted from untrusted parties. The most notable weaknesses in this category are deserialization of untrusted data (CWE-502) and download of code without integrity check (CWE-494). Read more about software and data integrity failures.
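Both CWEs named above, as an added example that is not code from the original page: first why loading an untrusted pickle is code execution (the payload calls a harmless function, os.getcwd, standing in for anything an attacker would choose), then an HMAC-tagged JSON envelope that detects any tampering before the data is parsed, and finally a SHA-256 pin check for a downloaded artifact. The key, payloads and function names are constructed for this illustration.

```python
# Added example, not code from the original page: integrity protection for
# data that crosses a trust boundary. (1) why deserializing untrusted pickle
# is code execution, (2) an HMAC-tagged JSON envelope that rejects tampering,
# (3) a SHA-256 pin check for a downloaded artifact. Key, payloads and names
# are constructed for this illustration.
import base64
import hashlib
import hmac
import json
import os
import pickle

# (1) CWE-502. A pickle is a program for the pickle VM. This object serializes
# to "call os.getcwd()", a harmless stand-in for any callable an attacker picks.
class _Evil:
    def __reduce__(self):
        return (os.getcwd, ())

def untrusted_pickle_runs_code() -> bool:
    """True if loading the payload executed the embedded call (it returns the
    working directory as a string, which we never asked for)."""
    payload = pickle.dumps(_Evil())
    return isinstance(pickle.loads(payload), str)

# (2) JSON carries no code; an HMAC over the exact encoded bytes detects any
# change. The key must stay server-side; the client only relays the token.
def seal(obj, key: bytes) -> str:
    body = base64.urlsafe_b64encode(json.dumps(obj, sort_keys=True).encode())
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag

def unseal(token: str, key: bytes):
    """Verify before parsing: the tag is checked in constant time and the
    body is only decoded once it is known to be unmodified."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return json.loads(base64.urlsafe_b64decode(body))

def is_intact(token: str, key: bytes) -> bool:
    try:
        unseal(token, key)
        return True
    except ValueError:
        return False

# (3) CWE-494: the expected digest is obtained out-of-band (release notes,
# a signed manifest, a lock file) and the artifact is checked before use.
def artifact_matches(blob: bytes, expected_sha256_hex: str) -> bool:
    return hmac.compare_digest(hashlib.sha256(blob).hexdigest(), expected_sha256_hex)

if __name__ == "__main__":
    print(untrusted_pickle_runs_code())                # True
    tok = seal({"user": "bob", "role": "user"}, b"constructed-demo-key")
    print(is_intact(tok, b"constructed-demo-key"))     # True
    print(is_intact(tok[:-1] + "0", b"constructed-demo-key"))  # False
```

An HMAC proves only that the holder of the key produced the bytes; for software distribution, where the verifier must not hold the signing secret, the same check is done with an asymmetric signature (for example Sigstore or a GPG-signed manifest), and lock files pin dependency digests so a pipeline cannot silently pull a replaced package.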
OWASP A09:2021 (Security Logging and Monitoring Failures) is the ninth element of the OWASP Top 10 list. Timely detection of malicious activity and attacks is essential for modern cyber defenders and requires proper logging of security events (logins, failed logins, high-value transactions and input validation failures), timely reaction to incidents and protection of the logs themselves from tampering or deletion. This can be achieved by implementing holistic and centralized logging for web applications and by meticulous monitoring and inspection of anomalous or suspicious HTTP requests and user behavior patterns. Known web attack patterns, ranging from primitive password brute-forcing to seemingly legitimate HTTP requests sent from IP addresses known to participate in hacking campaigns, should all be logged and investigated by the Blue Team or SOC analysts. Read more about security logging and monitoring failures.
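The brute-force case mentioned above, as an added example that is not code from the original page: a detection that replays access-log lines and flags any source IP with a burst of failed logins inside a sliding window, and marks whether a successful login followed the burst. The log lines, their format (timestamp, client IP, method, path, status) and the thresholds are constructed for this illustration and do not mirror any particular server's log format.

```python
# Added example, not code from the original page: replay constructed access-log
# lines and flag IPs with a burst of failed logins, noting a later success.
# Log lines, the line format and the thresholds are constructed here.
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one IP brute-forcing /login, one user mistyping once.
SAMPLE_LOG = """\
2021-09-24T10:00:01Z 203.0.113.5 POST /login 401
2021-09-24T10:00:02Z 203.0.113.5 POST /login 401
2021-09-24T10:00:02Z 198.51.100.7 POST /login 401
2021-09-24T10:00:03Z 203.0.113.5 POST /login 401
2021-09-24T10:00:04Z 198.51.100.7 POST /login 200
2021-09-24T10:00:04Z 203.0.113.5 POST /login 401
2021-09-24T10:00:05Z 203.0.113.5 POST /login 401
2021-09-24T10:00:06Z 203.0.113.5 POST /login 200
"""

THRESHOLD = 5        # failed logins from one IP ...
WINDOW_SECONDS = 60  # ... within this many seconds raises an alert

def parse_line(line: str):
    """timestamp, ip, method, path, status for the constructed format."""
    ts, ip, method, path, status = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, method, path, int(status)

def detect_bruteforce(log_text: str, threshold=THRESHOLD, window=WINDOW_SECONDS) -> dict:
    """Sliding window of failure timestamps per source IP. Returns
    {ip: {"first_alert": datetime, "success_after_alert": bool}}. A 200 that
    follows the burst is the case worth escalating: a guess may have landed."""
    failures = defaultdict(deque)
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path, status = parse_line(line)
        if method != "POST" or path != "/login":
            continue
        if status == 401:
            q = failures[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window:   # drop stale entries
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"first_alert": ts, "success_after_alert": False}
        elif status == 200 and ip in alerts:
            alerts[ip]["success_after_alert"] = True
    return alerts

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info["first_alert"].isoformat(), info["success_after_alert"])
```

In production this logic runs in the SIEM or log pipeline, not in the application, and the application's job is to emit the events it keys on (failed and successful logins with the client address, never the password) to a central store the web server account cannot modify, which is what protects the logs from the tampering the paragraph above mentions.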
OWASP A10:2021 (Server-Side Request Forgery, SSRF) covers SSRF vulnerability cases, in which a web application fetches a remote resource from a user-supplied URL without validating the destination. An attacker can use this vulnerability to force the application to initiate requests to internal systems, to the localhost or to cloud metadata services that are unreachable from the outside. This vulnerability proved quite effective during 2021 and was used widely by malicious actors in both targeted and mass attacks (e.g. against Microsoft Exchange users - CVE-2021-26855). Read more about server-side request forgery.
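A destination check for the server-side fetch described above, as an added example that is not code from the original page: it accepts only http(s) URLs, resolves the host, and requires every resolved address to be globally routable, which blocks loopback, RFC 1918, link-local (including the 169.254.169.254 cloud metadata address) and IPv6 equivalents. The resolver is injectable so the check runs offline; the scheme policy and the function names are constructed for this illustration.

```python
# Added example, not code from the original page: a destination check for a
# server-side fetch that rejects loopback, private, link-local (including the
# 169.254.169.254 cloud metadata address) and other non-global targets. The
# resolver is injectable so the check runs offline; the scheme policy and the
# names are constructed for this illustration.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def system_resolver(host: str) -> list:
    """Every A/AAAA answer for host via the OS resolver (not used offline).
    Going through getaddrinfo also normalizes forms such as "127.1" or
    decimal/octal IPv4 that ipaddress would not parse as literals."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def is_safe_target(url: str, resolve=system_resolver) -> bool:
    """True only if the URL is http(s), has a host, and *every* address the
    host maps to is globally routable. All answers are checked because an
    attacker-controlled name can return one public and one internal address."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    host = parts.hostname
    try:
        addrs = [ipaddress.ip_address(host)]          # IP literal, IPv4 or IPv6
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError):                 # NXDOMAIN, bad answer
            return False
    if not addrs:
        return False
    return all(a.is_global for a in addrs)

if __name__ == "__main__":
    for u in ("https://example.com/", "http://169.254.169.254/latest/meta-data/",
              "http://127.0.0.1:8080/admin", "file:///etc/passwd"):
        print(u, is_safe_target(u))   # first needs DNS; the rest are rejected offline
```

Two caveats a practitioner should keep in mind. The resolution here happens before the request, so the HTTP client must not resolve again (DNS rebinding) and must not follow redirects without re-running the check on each hop; the safest setup pins the connection to the vetted address or disables redirects. And a denylist of address ranges is the weaker control: where the set of legitimate destinations is known, an allowlist of hosts replaces this function entirely.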